Ford's 400,000-car recall could be the tip of an auto security iceberg

‘Needed’ OTA updates bring their own ‘security challenges’

Ford’s recall of more than 400,000 cars in North America to fix a software bug may be just the first of many for the motor industry as automobiles become increasingly complex, security researchers warn.

As previously reported, a total of 433,000 2015 Focus, C-MAX and Escape cars are being recalled to dealerships for a software update as a result of the snafu – which means drivers may not be able to turn off engines on some of the latest vehicles, even if they remove the ignition key – as a notice by the car maker explains.

Dealers will update the body control module software at no cost to the customer, Ford promises.

Ken Munro, a director at security consultancy Pen Test Partners, and a security researcher who has investigated aspects of electronic car insecurity, told El Reg that updates of this type will become more commonplace as car makers pack more and more complicated electronics into vehicles.

“As manufacturers cram more software into cars, the potential for more security and functionality bugs increases. More bugs = more recalls, which will be a pain for customers and expensive for manufacturers as cars have to go to service centres for patching,” he added.

Higher-end vehicles are increasingly featuring Wi-Fi and GSM connectivity. Tesla allows updates to be rolled out when the car is parked at home in Wi-Fi range, although such updates potentially create an even bigger security challenge, Munro warned.

“OTA [over the air] updating brings its own security challenges,” Munro said. “Pushing a rogue update to a vehicle should be technically challenging, but we all know that breaches never happen, right... Who has the digital signing keys for updates? Pinch those and you have one of many potential attack vectors.”

“Quality assurance needs to be excellent too; imagine a duff update going out that bricks your vehicle or, worse, causes safety issues. It’s one matter updating the sat-nav database, but another altogether updating the ABS [Anti-lock braking system] software. Can you see the insurance claim? ‘It wasn’t me that crashed the car, it was rogue software that caused it’,” Munro concluded.
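The two failure modes Munro describes above, a rogue update signed with stolen or wrong keys and a bad update reaching the wrong module, are exactly what a vehicle's update verifier is meant to catch before anything is flashed. The following Go program is an added illustration, not code from Ford, Tesla, Pen Test Partners or the article: it models a constructed OTA package (module name, version, firmware bytes, detached Ed25519 signature), signs it with a vendor key, and shows the vehicle-side check rejecting a tampered payload, a package signed with a different key, a package aimed at another module, and a rollback to an older version. Module names, versions and firmware bytes are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for an OTA update bundle: the target
// module, a monotonically increasing version, the firmware bytes and a detached
// signature produced with the manufacturer's private signing key.
type UpdatePackage struct {
	Module    string
	Version   uint32
	Firmware  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the vendor key")
	ErrWrongModule  = errors.New("update rejected: package targets a different module")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// GenerateVendorKeys stands in for the manufacturer's key ceremony. The private
// key stays with the vendor; only the public key is provisioned into vehicles.
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signingInput binds module, version and a digest of the firmware into one
// message, so a signature cannot be replayed against another module or version.
func signingInput(module string, version uint32, firmware []byte) []byte {
	digest := sha256.Sum256(firmware)
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], version)
	msg := make([]byte, 0, len(module)+1+4+len(digest))
	msg = append(msg, []byte(module)...)
	msg = append(msg, 0) // separator so the module name cannot run into the version
	msg = append(msg, ver[:]...)
	msg = append(msg, digest[:]...)
	return msg
}

// SignUpdate is what the vendor's build pipeline does with the private key.
func SignUpdate(priv ed25519.PrivateKey, module string, version uint32, firmware []byte) UpdatePackage {
	return UpdatePackage{
		Module:    module,
		Version:   version,
		Firmware:  firmware,
		Signature: ed25519.Sign(priv, signingInput(module, version, firmware)),
	}
}

// VerifyUpdate is the check the vehicle performs before installing anything:
// signature first (any tampering with firmware, version or module invalidates it),
// then the target module, then an anti-rollback version comparison.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage, installedModule string, installedVersion uint32) error {
	if !ed25519.Verify(pub, signingInput(pkg.Module, pkg.Version, pkg.Firmware), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Module != installedModule {
		return ErrWrongModule
	}
	if pkg.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKeys()
	if err != nil {
		panic(err)
	}
	firmware := []byte("body control module firmware, build 2 (constructed sample)")
	good := SignUpdate(priv, "body-control-module", 2, firmware)

	tampered := good
	tampered.Firmware = append([]byte{}, firmware...)
	tampered.Firmware[0] ^= 0xff // one flipped byte in transit

	_, roguePriv, _ := GenerateVendorKeys() // an attacker's own key, not the vendor's
	rogue := SignUpdate(roguePriv, "body-control-module", 3, firmware)

	cases := []struct {
		name string
		pkg  UpdatePackage
		mod  string
		ver  uint32
	}{
		{"genuine update", good, "body-control-module", 1},
		{"tampered firmware", tampered, "body-control-module", 1},
		{"signed with non-vendor key", rogue, "body-control-module", 1},
		{"aimed at the wrong module", good, "abs", 1},
		{"rollback to same version", good, "body-control-module", 2},
	}
	for _, c := range cases {
		fmt.Printf("%-28s -> %v\n", c.name, VerifyUpdate(pub, c.pkg, c.mod, c.ver))
	}
}
```

The design point is that the signature covers the module name and version as well as the firmware digest, so a genuine update for one module cannot be re-targeted at another or replayed to downgrade a vehicle; the private key never needs to be on the car, which is why its custody, Munro's "who has the digital signing keys" question, is the whole game.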

Further security-related commentary on the Ford software update recall can be found in a post by Graham Cluley on the ESET WeLiveSecurity blog. Cluley notes that Ford’s update is far from unprecedented and is, if anything, the shape of things to come.

For example, BMW was obliged to roll out a patch for a security flaw back in January in order to guard against the possibility that hackers might be able to open the doors of some 2.2 million potentially vulnerable vehicles.

“Cars which are capable of receiving instructions via the internet (such as software updates) are potentially more at risk of being hacked or meddled with than those which don’t,” warned Cluley.®